Cross Site Scripting Vulnerabilities
This site intends to show how many sites on
the internet are completely vulnerable to a two year old
security problem. They refuse to fix the problem, while still
bragging about how secure their information is. Well, it's not.
- CERT : Advisory on Cross Site Scripting.
- CERT : How to fix it.
This site in the News:
- Developer.com :
An Oldie but Goodie: The Cross-Site Scripting Vulnerability
- Vnunet : Top sites vulnerable to hackers
- MSNBC : Citibank payment service said flawed
- eWeek : Flaw Leaves Online Citibank Customers Vulnerable
- InformationWeek : Security Researcher Says Citibank Took A While To 'C2' Security Flaw
- E-Commerce Times : E-Commerce Sites Fail Security 101
- Geek.com : Citibank payment system flaw
- NewsBytes:Net Users Warned To Beware Sites With Scripting Holes
- BankersOnline.com : Is your site secure?
I've also added banking sites with insecure logins. These sites are vulnerable even easier, man in the middle active attacks. Banks unfortunately ignore these easy attacks, focusing on harder attacks involving cracking encryption or breaking firewalls. These insecure login forms were never secured or encrypted, so they can be modified in transit to the user and rewritten to redirect logins to another site to capture login data. Banks should immediately redirect customers to secure sites to insure the accuracy of pages. Users should not use or trust any bank webpage that does not start with https.
Many sites rush their product out the door with out necessary
security precautions. In this day and age, no web site with
customer data to protect should go live with out and complete review
of existing security alerts from sites like CERT. In
addition, when running a site, if the site operator receives
specific information on security holes, they should act immediately
to protect the problem. Many sites have failed
to do this. Many crackers know this and will use
these holes if they are not fixed. A few of these holes in
Hotmail have been publicized, but other then that, many site's holes
have gone unfixed.
In the interest of safety we are starting a public
list of active security holes on live sites. We suggest that
want your data left open when you visit various websites.
For home users:
Here are some tips for making your computer more secure.
[ Thanks for all your donations.. I should be able to keep this going for a while now ]